HEURISTIC ALGORITHMS 


_ Zero-Knowledge Proofs 


A new heuristic method lets you prove your identity without 
revealing a password or other information 


RECOGNIZING THE DIFFERENCE 
between an authorized user and a fake is a 
difficult problems for computers. Tradi- 
tional password systems and other heuris- 
tics for controlling access can never be 
made perfectly secure because a com- 
puter can judge only the signals it re- 
ceives, not whether the binary bits are the 
product of a sincere, authorized user or of 
an impostor providing the same input. 

Now, new mathematical techniques 
known as zero-knowledge proofs can 
strengthen these heuristic approaches by 
providing complex interactive passwords 
for users, passwords that cannot be faked 
by anyone who happens to intercept the 
message—or even by the host computer 
_ itself. The chief developers of the new 
methods are Oded Goldreich of Haifa 
University, Silvio Micali and Shafi Gold- 
wasser of MIT, Manuel Blum of Berke- 
ley, Charles Rackoff of the University of 
Toronto, and others (see reference 1). 

Zero-knowledge proofs differ from 
regular mathematical proofs in two epis- 
temologically curious ways: They hide 
the truth while defending its validity, and 
they are played out much like a card 
game. In a zero-knowledge-based ex- 
change, the prover first makes an asser- 
tion. The skeptic verifies the assertion 
and specifies the next fact he or she would 
- like to hear. The prover responds with an- 
other assertion. The exchange continues 
until the skeptic is satisfied. 

What makes this ordinary-sounding 
interrogation process unique is that the 
individual assertions taken together re- 
veal no privileged information except the 
fact that the prover isn’t lying; the skeptic 





Peter Wayner 


can safely conclude that the prover is in- 
deed the person he or she claims to be. 


A Preliminary Example 

Arms-control treaties, because they are 
plagued by mistrust, are a good prelimi- 
nary example for understanding how an 
interaction can hide information while 
providing some kind of validation. 

Suppose a nation wants to prove it does 
not have nuclear warheads at a storage 
plant without revealing exactly how many 
conventional warheads it has stockpiled. 
In one zero-knowledge approach, the 
representative from the proving nation 
randomly divides the warheads between 
two locked rooms. The examiner from 
the skeptical nation flips a coin to choose 
one of the rooms. The prover hands the 
skeptic the corresponding key so he can 
check the contents of the selected room. 
If the skeptic doesn’t find a nuclear war- 
head in the room, he can conclude there 
is only a one-in-two chance that the treaty 
is being violated. 

The prover nation locks both doors, re- 
arranges the warheads, and again lets the 
skeptic nation randomly select a room for 
viewing. After this examination, if no nu- 
clear weapons are found, the skeptic con- 
cludes there is only a one-in-four chance 
that the treaty is being violated. 

After 20 or 30 such iterations, the 
skeptic can be satisfied that even though 
he lacks absolute proof, the chance that 
he has chosen the wrong door every time 


is practically nil. Meanwhile, the prover . 


can be content that the exact number of 
missiles hasn’t been revealed. 
This isn’t a true zero-knowledge proof 


because it gives the skeptic a statistically 
converging estimate of the number of 
missiles. Nevertheless, it does illustrate 
several important facets of the method. 

First, the techniques never prove some- 
thing perfectly and incontrovertibly, but 
they always come as close as the two par- 
ties’ patience will allow. This is a draw- 
back for anyone who needs literal certifi- 
cation, but it should make no difference 
to practical people who realize how 
quickly 2” shrinks. Second, zero-knowl- 
edge proofs keep the prover honest by let- 
ting the skeptic demand any particular 
fact, while hiding the entire truth from 
the skeptic by letting him or her choose 
only a fraction at most. Third, these 
proofs rely upon one-way functions to 
protect the information. 

One-way functions are’ an important 
part of cryptography, enabling a person 
to encrypt information and place it in the 
open, secure in the knowledge that no in- 
verse function can be found to decipher 
the information. In the warheads exam- 
ple, the one-way function is the random 
division of warheads between the two — 
rooms. It is impossible to infer the total 
number of warheads from the number 
found in just one of the rooms. 

In mathematics, one-way functions are 
operations that have no inverse, or at least 
no readily discoverable inverse. For in- 

continued 


Peter Wayner is a graduate student in 
computer science at Cornell University. 
He can be reached at the Department of 


‘Computer Science, Cornell University, 


Ithaca, NY 14853. 


OCTOBER 1987 > BYTE 149 


The security can be 
further strengthened 
by requiring that each 
prover be able to 
handle any of 1000 
different x,y pairs. 





S:p=1 
; ((assume pis lying) 


ZERO-KNOWLEDGE PROOFS 


stance, given a list of prime numbers, you 
can easily generate a product. However, 
the inverse operation—factoring—can be 
so time-consuming as to be impractical 
when the number is large—say, 100 or 
more digits. The public-key-cryptogra- 
phy system (see reference 2) relies on the 
difficulty of factoring large numbers. 
Quadratic residuosity is another num- 
ber-theoretic property that gives a good 
one-way function (see reference 3). I will 
use it in a program that demonstrates the 
operation of a zero-knowledge proof. 


First, we need some theoretical back- 
ground. 


Quadratic Residues 

Given y relatively prime to x (i.e., x and y 
have no common factors except 1), y is 
said to be a quadratic residue of x if there 
exists a w such that w? mod x = y. For 
example, 9 and 10 are relatively prime, 
and 7? = 49 mod 10 = 9, so 9 is a qua- 
dratic residue of 10. 

For shorthand, let Z, symbolize the set 
of integers relatively prime to x and OR, 
symbolize the set of all elements in Z, that 
are quadratic residues of x. For instance, 
Zio = {1, 3, 7, 9} and QR,» = {1,9} since 
only those two numbers have square roots 
in Z,9: 1 = 1? mod 10 = 9? mod 10, and 9 
= 3? mod 10 = 7? mod 10. ’ 

Quadratic residuosity makes a good 
one-way function because it is easy to 
square a number modulo x but difficult to 
find the square root of a number modulo 
x when the number is relatively prime to x 
and the factors of x are unknown. 


P-choose Three other properties of quadratic 
veEZ, residues are important here. First, the 
Calculate Z=u? fastest way known to compute whether y 
is a quadratic residue of x is to start by © 
factoring x into primes. Since this is hard 
when x is the product of large prime num- 
bers (in excess of 100 digits each), a 
strong system must start with a very large 
‘ ist x. The zero-knowledge interaction will 

also reveal nothing about the factors of x. 
Second, every y € QR, has an equal 
number of square roots w such that w? 
mod x = y. The third property concerns 
products of two integers. If y,z © QR, 
then yz € QR,; if y © QR, but z € Z, — 
QR, then yz € Z, — QR,. These facts can 
be proved using group theory or at least 


P:use password 
w to calculate 
v=uwWw 


S:confirm 


Par clas thes verified by working through a few sample 
cases. 
A Working Example 


Sip=7, 
(recalculate 
probability) 


In the working example, the prover is 
given x and y and asked to prove that y is a 
quadratic residue without revealing its 
square root. The square root is, in effect, 
the password, and the zero-knowledge 
techniques let the prover keep the pass- 
word secret from the skeptic, while- still 
showing that he knows it. This prevents 
the password from being stolen by an 
eavesdropper. 

Here is a more detailed view of the pro- 
tocol. Keep in mind that all computations 
are done modulo x even when not explic- 
itly so stated. 

The skeptic S starts by giving the 
prover P the number pair (x,y). P will 
prove that he knows a square root w (i.e., 
w? mod x = y) without revealing what it 
is. P randomly selects u, a member of Z,, 
squares it, and sends the result z = wu? 
mod x to S. 


S;confirm 
Vv =xy 


S: 
satisfied 
? 





Figure 1: Flow diagram of a zero-knowledge dialog between skeptic S and prover 
P. Squares indicate data revealed over the communications link; circles represent 
internal processing. . 


150 BYTE * OCTOBER 1987 


S then sends P a random bit, 0 or 1. If 
the bit is 0, P must reply with u, and S 
confirms that u is indeed a square root of 
the first number z. If the bit is 1, P uses 
the secret value w to form the product v = 
uw mod x, which he sends to S. § checks 
that this value is indeed a square root of 
the product zy. (Remember, z = u? and y 
= w? so zy = u?w? = vy.) 

In either case, P’s correct response 
convinces S with a probability of % that P 
does know a square root of y. The process 
is repeated until the probability of cheat- 
ing grows small enough to satisfy S. Fig- 
ure 1 diagrams the process. 

The technique works because it is not 
possible for both u? and u?y to have 
square roots unless y is a member of QR,. 
Since P doesn’t know which he will be 
asked to provide (./u? or /u*y), he cannot 
try to’ fake the choice of u. However, 
since P reveals only u or uw, it is impos- 
sible for S (or an eavesdropper) to derive 
a square root w of y from the information 
provided. Without a w, it is impossible to 
calculate a square root of uy, as required 
to satisfy S. 

The BASIC program in listing 1 imple- 
ments this system for the sake of demon- 
stration. Both parties to the dialog are 
handled in separate routines of the pro- 
gram. The main program sets x and y, 
and then calls the two routines in turn 
using global variables to pass values be- 
tween the two. A short routine, based on 
Euclid’s algorithm, is used by both sub- 
routines to test relative primality. 

Several considerations are important to 
build a strong system. The first is making 
sure that x is large enough and has at most 
two factors (other than 1) of equal length. 
If x is prime, then the size of QR, is 
(x—1)/2. If x is the product of primes p, 
and p2, then QR, has ((p,—1)/2) 
((P2—1)/2). (This can be proven with 
group theory.) Since every y € QR, has 
the same number of square roots, it fol- 
lows that each has only two or four square 
roots. This reduces the possibility of 
finding a square root simply by guessing. 

The security of this system can be fur- 
ther strengthened by requiring that each 
prover be able to handle any of, say, 1000 
different x,y pairs. The skeptic computer 
chooses a pair at random, and the prover 
must prove (in the zero-knowledge sense) 
that y is a member of QR,. Having 1000 
possible sets of quadratic residues adds 
deterrence by increasing the computa- 
tional burden on any would-be intruder. 

Of course, there are caveats to the par- 
ticular zero-knowledge method outlined 
in this article, using quadratic residues. 
Its security relies heavily on the assump- 
tion that factoring numbers is too difficult 
to be done in a reasonable amount of 
time. If the numbers are chosen incor- 


ZERO-KNOWLEDGE PROOFS 
SATE GER RE Be RE ETE 


rectly, the system is not strong enough. 
Alternatively, if computer technology or 
mathematical theory advances sufficient- 
ly to make factoring a fast process, the 
quadratic residues method (and many 
more of today’s encryption systems) will 
be vulnerable. 


Practical Uses 

Zero-knowledge proofs require a great 

deal of computation and thus are prob- 

ably not adaptable to situations that rely 
continued 


A short routine, 
based on Euclid’s 
algorithm, is used 
by both subroutines 
to test relative 


primality. 
SPRAY EET OS LE ARTA RAD PARAS OD TRE 









at the end of the listing. 





RANDOMIZE 
x= 100 
~ DIM qr(100) 


* “slifiis relatively prime tox 


FORi=1TOx 
qr(i)=1 
NEXT i 
loop1: 
'Mark the primes and composites 
FOR i=2 TO x 
jai 
k=x 
again: 
IF j MOD k = 0 THEN 
qr(i) =0 
ELSEIF j MOD k = 1 THEN 
qr(i) =1 
ELSE 
JJ=J 
j=k MOD j 
k=}jJ 
GOTO again 
. ENDIF 
NEXT i 
loop2: 
‘Mark the quadratic residues 
FOR i=1 TOx 


NEXT i 
start: 
"Select ay at random 
w = INT(x*RND) 
‘Make sure it is a quadratic residue 
IF qr(w)=0 THEN GOTO start 
y = (w*w) MOD x 


PRINT 


'x and y are global variables 
'w is known only to the prover 


"between the prover and the skeptic 
FOR try=1 TO 10 

PRINT 

PRINT "Round: "; try 


proverl: 


‘Randomly select au in Z(x) 


Listing 1: A BASIC program, written in QuickBASIC, demonstrating the 
zero-knowledge-proof method using quadratic residues. A sample run is given 


'qr(i)=0 if i is relatively composite to x 


‘ =2 if 1 is relatively prime and is a quadratic residue 


IF qr(i)>O AND qr((i*1) MOD x)>0 THEN qr((i*i) MOD x) =2 


PRINT USING "Prover: (Secret password w = ###)";w 


PRINT USING "Skeptic: (x,y) = (### , ###)"; x,y 


'z,b,u,v are the four numbers exchanged 


prob = 1 'Initial probability that prover is lying 


"Set nl=w°2 MOD x and n2 = y*w"2 MOD x 













































* continued 






OCTOBER 1987 + BY TE 


151 


ZERO-KNOWLEDGE PROOFS 





u = INT(x*RND) 

IF qr(u)=0 THEN GOTO prover1 

z=(u*u) MOD x 

PRINT USING "Prover: z = ##";z2 
skeptici: 


'Sees z and asks for square root of z 


‘or square root of zy 
b=int(2*RND) 'b=Oor1 
Print using "Skeptic: b = #";b 
prover2: 
‘Returns the correct square root 
IF b=0 THEN 
PRINT USING "Prover: u = ##";u 
ELSE 
v = (u*w) MOD x 
PRINT USING "Prover: v = ##";v 
END IF 
skeptic2: 
'Checks the prover's response 
IF b=0 AND (u*u) MOD x = z THEN 


PRINT "Skeptic: (u*u) MOD x = z: Ok." 
ELSEIF b=1 AND (v*v) MOD x=(z*y) MOD x THEN 
PRINT "Skeptic: (v*v) MOD x = (z*y) MOD x: Ok." 


ELSE 
IF b=0 THEN 
PRINT "(u*u) MOD x <> 2" 
STOP 
ELSE 


PRINT "(v¥v) MOD x <> (2*y) MOD x=" 


STOP 
END IF 
END IF 
"Compute probability of lying 
prob=prob*.5 


PRINT "Skeptic: Probability of lying = ";prob 


NEXT try 


run 


Random Number Seed (-32768 to 32767)? 55 


Prover: (Secret password w = 77) 


Skeptic: (x,y) = (100 , 29) 


Round: 1 

Prover: z2=9 

Skeptic: b=1 

Prover: v = 69 

Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .5 


Round: 2 

Prover: z = 69 

Skeptic: b=1 

Prover: v= 51 

Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .25 





on human participation (such as the typ- 
ing in of a password, or the response to a 
series of questions). However, in a world 


’ that is rapidly replacing paper with elec- 


tronics, the zero-knowledge-proof meth- 
od promises to be quite useful. 

Banks, for instance, are heavily com- 
puterized businesses; increasingly, they 
rely on “‘smart cards” as a means of veri- 
fying customer identity. Under these cir- 
cumstances, electronic eavesdropping 
can be as devastating to security and pri- 


152. BYTE * OCTOBER 1987 


Round: 3 

Prover: z = 89 
Skeptic: b=1 
Prover: v= 41 


Round: 4 
Prover: z =61 
Skeptic: b=0 
Prover: u = 69 
Skeptic: (u*u) MOD x = 2: Ok. 

Skeptic: Probability of lying = .0625 


Round: 5 

Prover: z = 89 
Skeptic: b=1 
Prover: v = 59 


Round: 6 

Prover: 2=49 
Skeptic: b=1 
Prover: v = 61 


- 


Round: 7 

Prover: z = 69 
Skeptic: b=1 
Prover: v = 49 


Round: 8 
Prover: z = 89 
Skeptic: b=1 
Prover: v=9 


Round: 9 

Prover: 2=21 
Skeptic: b =0 
Prover: u=1i1 


Round: 10 

Prover: 2 =49 
Skeptic: b=0 
Prover: u = 93 


vacy as simply overhearing or glimpsing 
a password. The problem extends to com- 
munications between computers over the 
electronic networks that dominate the 
money markets; it is quite feasible for one 
computer to mimic another simply by 
“playing” the correct data stream. Zero- 
knowledge proofs may be able to help in 
these situations. 

Zero-knowledge proofs will likely be a 
major factor in computer security sys- 
tems of the future. @ 


Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .125 


Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .03125 


Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .015625 


\ 


Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = .0078125 


Skeptic: (v*v) MOD x = (z*y) MOD x: Ok. 
Skeptic: Probability of lying = 3.90625E-03 


Skeptic: (uu) MOD x =z: Ok. 
Skeptic: Probability of lying = 1.953125E-03 


Skeptic: (u*u) MOD x =z: Ok. 
Skeptic: Probability of lying = 9.765625E-04 





REFERENCES 

1. Goldreich, Oded, S. Micali, and A. Wig- 
derson. “Proofs that Yield Nothing but Their 
Validity.” In Proc. of the 27th Annual Sym- 
posium on the Foundations of Computer 
Science. IEEE Publication, 1986. ° 

2. Smith, John. “Public Key Cryptogra- 
phy.” BYTE, January 1983, page 198. 

3. Goldwasser, Shafi, and Silvio Micali. 
“Probabilistic Encryption.” Journal of 
Computer and System Sciences, vol. 28, no. 
2, April 1984. 


